Date:   Mon, 9 Dec 2019 00:31:55 +0100
From:   Florian Westphal <>
To:     Eric Dumazet <>
Cc:     Pablo Neira Ayuso <>,
        Jozsef Kadlecsik <>,
        Florian Westphal <>,, netdev <>,
        Eric Dumazet <>,
        syzbot <>
Subject: Re: [PATCH netfilter] netfilter: bridge: make sure to pull arp
 header in br_nf_forward_arp()

Eric Dumazet <> wrote:
> syzbot is kind enough to remind us we need to call skb_may_pull()


> Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
> Signed-off-by: Eric Dumazet <>
> Reported-by: syzbot <>
> ---
> Note: Fixes: tag does not point to real bug origin, but is old enough
>      to cover all stable versions.

Indeed, looks like a day0 bug.  We don't have this problem for ipv4/6
because the prerouting hook does pskb_may_pull() as part of ipv4/6
header checks.  Arp doesn't have anything like it.

>  		nf_bridge_pull_encap_header(skb);
>  	}
> +	if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
> +		return NF_DROP;
> +
>  	if (arp_hdr(skb)->ar_pln != 4) {
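Review bot: the added pskb_may_pull() check guarantees only sizeof(struct arphdr) linear bytes, which is what the ar_pln read on the following context line needs, but nothing in the hunk says so. A one-line comment above the check, noting that it covers the fixed header only and that code reading the address fields behind it must check their length separately, would keep a later reader from assuming the whole ARP packet is linear.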

That's indeed the only location where we call NFPROTO_ARP hooks,
so this looks like the proper fix/location.

Thanks Eric!

Reviewed-by: Florian Westphal <>
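
The check-before-read pattern discussed in this thread, as an added user-space C model that is not part of the original mail or of the kernel source. The names model_skb, model_fill, model_may_pull and model_read_ar_pln are hypothetical, and the single-fragment packet layout is a simplifying assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model (assumption, not kernel code): the first headlen bytes of
 * a packet are linear, the rest sits in one fragment that must be copied in. */
enum { ARP_FIXED_LEN = 8, AR_PLN_OFF = 5 };   /* fixed ARP header, ar_pln offset */
struct model_skb {
    uint8_t linear[64]; size_t headlen;       /* linear area and its valid length */
    const uint8_t *frag; size_t fraglen;      /* non-linear remainder */
};

/* Constructed sample: fixed header of an Ethernet/IPv4 ARP request. */
static const uint8_t sample_arp[ARP_FIXED_LEN] = { 0, 1, 8, 0, 6, 4, 0, 1 };
/* Split the first total bytes of the sample (headlen <= total <= 8). */
static void model_fill(struct model_skb *skb, size_t total, size_t headlen)
{
    memcpy(skb->linear, sample_arp, headlen);
    skb->headlen = headlen;
    skb->frag = sample_arp + headlen; skb->fraglen = total - headlen;
}

/* Models the pskb_may_pull() contract: nonzero means len bytes are linear. */
static int model_may_pull(struct model_skb *skb, size_t len)
{
    if (len <= skb->headlen)
        return 1;
    size_t need = len - skb->headlen;
    if (need > skb->fraglen || len > sizeof(skb->linear))
        return 0;                             /* packet is shorter than len */
    memcpy(skb->linear + skb->headlen, skb->frag, need);
    skb->headlen += need; skb->frag += need; skb->fraglen -= need;
    return 1;
}

/* Check first, read second: returns ar_pln, or -1 if the header is short. */
static int model_read_ar_pln(struct model_skb *skb)
{
    return model_may_pull(skb, ARP_FIXED_LEN) ? skb->linear[AR_PLN_OFF] : -1;
}

int main(void)
{
    struct model_skb skb;
    model_fill(&skb, 8, 2); printf("split header: %d\n", model_read_ar_pln(&skb));
    model_fill(&skb, 5, 5); printf("truncated:    %d\n", model_read_ar_pln(&skb));
    return 0;
}
```

In the truncated case the byte at the ar_pln offset lies outside the valid linear data, so a read without the preceding check would return whatever happens to be in memory there.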
